Security Engineer

Complete English Guide for Security Engineers

CVE advisory writing, penetration test reports, incident response communication, STRIDE threat modeling, and the precise English of responsible disclosure — the language of modern cybersecurity engineering.

8 sections · 25+ internal practice links · Intermediate – Advanced

Why English Matters for Security Engineers

Cybersecurity is perhaps the most language-intensive discipline in software engineering. A security engineer must write a CVE advisory that is simultaneously precise enough for other security professionals to reproduce a finding and accessible enough for a software vendor's legal team to act on. They must explain SQL injection to a non-technical executive in a board briefing, write a penetration test report that communicates risk without causing panic, and draft an incident response timeline that will later be scrutinised by lawyers, regulators, and the press.

English is the lingua franca of global cybersecurity. The National Vulnerability Database (NVD), MITRE ATT&CK, OWASP, CVE Program, and the vast majority of security research, conference talks, and advisories are all in English. Reading and interpreting CVE descriptions, CVSS score justifications, and MITRE ATT&CK technique descriptions accurately is a daily requirement. Misreading a severity level or misunderstanding an attack chain description can lead to incorrect prioritisation of patching work.

Security communication also spans an unusually wide range of audiences. The same vulnerability may need to be communicated to a software developer (focus on the code-level fix), a system administrator (focus on mitigation and workarounds), an executive (focus on business risk), and a regulator (focus on compliance impact). Each audience requires a different register and vocabulary — but all of them, in global organisations, requires English.

The sections below cover the specific English vocabulary and communication patterns you will need as a security engineer: the precise language of CVE and CVSS scoring, STRIDE and OWASP threat modeling, writing actionable penetration test reports, communicating during and after security incidents, and the careful phrasing of responsible disclosure.

Section 1: CVE & CVSS Scoring Language

The Common Vulnerabilities and Exposures (CVE) system and the Common Vulnerability Scoring System (CVSS) are the foundational vocabulary of vulnerability management. Reading and writing in these systems accurately is a core security engineering skill.

Reading and Writing CVE Descriptions

A well-formed CVE description follows a structured pattern: product name and version, vulnerability type, attack vector, and potential impact. Example: "A heap-based buffer overflow vulnerability in FooBar VPN client versions prior to 3.2.1 allows an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges by sending a specially crafted authentication packet." Every element of this sentence matters. "Heap-based buffer overflow" specifies the CWE (Common Weakness Enumeration) type. "Unauthenticated remote attacker" defines who can exploit it and from where. "Specially crafted" is standard CVE vocabulary for an intentionally malformed input. "Execute arbitrary code with SYSTEM privileges" describes the worst-case impact.

When writing your own CVE reports, use passive constructions for the vulnerability ("the application fails to sanitise user input") and active constructions for the attacker ("an attacker could leverage this to read arbitrary files"). Common CVE vocabulary includes: "bypass authentication," "escalate privileges," "disclose sensitive information," "cause a denial of service," "inject arbitrary commands," "path traversal," "out-of-bounds read/write," "use-after-free," and "integer overflow."

CVSS Score Communication

CVSS v3.x scores consist of a Base Score (0–10), a Temporal Score (adjusts for exploit maturity), and an Environmental Score (adjusts for your specific context). The Base Score is calculated from six metrics: Attack Vector (Network/Adjacent/Local/Physical), Attack Complexity (Low/High), Privileges Required (None/Low/High), User Interaction (None/Required), Scope (Unchanged/Changed), and Impact on Confidentiality/Integrity/Availability (None/Low/High).

When justifying a CVSS score to a team: "I've scored this as CVSS 9.8 Critical. The Attack Vector is Network because it's exploitable over the internet without any adjacency. Attack Complexity is Low — the exploit is reliable and requires no special conditions. Privileges Required is None and User Interaction is None, meaning any anonymous user can trigger it without any victim action. Confidentiality, Integrity, and Availability are all High because a successful exploit gives the attacker full control of the affected host." This kind of narrative justification is essential in security reports and peer reviews. Scores without written justification are easily misinterpreted.

Qualifier vocabulary: "Critical" (9.0–10.0), "High" (7.0–8.9), "Medium" (4.0–6.9), "Low" (0.1–3.9), "None" (0.0). In practice, "Critical" vulnerabilities require immediate response; "High" typically must be patched within 30 days; "Medium" within 90 days; "Low" in the next scheduled maintenance window. When discussing scoring disagreements: "I'd argue this should be High rather than Critical — the Attack Complexity should be High because the exploit requires a race condition that is non-trivial to reliably trigger."

Section 2: Threat Modeling Vocabulary (STRIDE & OWASP)

Threat modeling is the systematic process of identifying threats before building or deploying a system. Two frameworks dominate English-language threat modeling discussions: STRIDE (from Microsoft) and the OWASP Top 10. Both have specific vocabulary that you must be able to read, apply, and communicate fluently.

STRIDE Vocabulary

STRIDE is an acronym for six threat categories: Spoofing (impersonating something or someone), Tampering (modifying data or code), Repudiation (denying having performed an action), Information Disclosure (exposing information to unauthorised parties), Denial of Service (making a system or resource unavailable), and Elevation of Privilege (gaining capabilities beyond what is permitted). In a threat modeling session, you would describe threats using this vocabulary: "There's a Spoofing threat here — without mutual TLS, a man-in-the-middle could impersonate the payment service." / "This message queue has a Tampering risk — any service with read access can consume and re-enqueue messages without the consumer detecting modification." / "We have a Repudiation gap: the audit log writes are not signed, so a compromised admin account could delete log entries without detection."

A data flow diagram (DFD) is the standard artifact produced during a STRIDE threat modeling session. You annotate trust boundaries (lines that separate processes running at different privilege levels or in different security zones) and enumerate threats for each crossing. Vocabulary: "trust boundary," "data store," "process," "external entity," "data flow," "trust level," "attack surface."

OWASP Top 10 Communication

The OWASP Top 10 is a list of the most critical web application security risks, updated periodically. Each risk has an identifier (e.g., A03:2021 – Injection) and a standard description. When discussing OWASP risks in code reviews or design reviews, reference the identifier directly: "This endpoint is vulnerable to A03 – Injection. The query is constructed with string concatenation and user-supplied input is not parameterised." / "The session management here doesn't invalidate tokens on logout, which falls under A07 – Identification and Authentication Failures." Other commonly cited entries: A01 – Broken Access Control, A02 – Cryptographic Failures, A05 – Security Misconfiguration, A09 – Security Logging and Monitoring Failures.

OWASP also maintains several other important English-language resources: the OWASP Testing Guide (a comprehensive manual for security testing), the OWASP ASVS (Application Security Verification Standard — a checklist for security requirements), and the OWASP Cheat Sheet Series. Being fluent in the vocabulary of these documents is essential for communicating with other security professionals.

Section 3: Penetration Test Report Writing

A penetration test report is one of the most consequential documents a security engineer produces. It must be technically rigorous enough for developers to reproduce and fix every finding, yet accessible enough for executives to understand the business risk. It will often be reviewed by lawyers before being shared with clients. Getting the language right is not an optional extra.

Report Structure and Vocabulary

A professional penetration test report typically contains: an Executive Summary (high-level risk narrative for non-technical readers), a Scope and Methodology section (what was tested and how), a Findings section (detailed vulnerability descriptions), and a Remediation section (prioritised fix guidance). The Executive Summary uses risk-focused language: "The assessment identified three Critical and five High severity vulnerabilities that, if exploited by an external attacker, could result in full compromise of the customer database and exposure of PII for approximately 2.4 million users." Quantify impact when possible — specific numbers carry more weight than vague claims.

Each individual finding in the Findings section follows a standard structure: Finding Title, Severity (Critical/High/Medium/Low/Informational), CVSS Score, Affected Component, Description (what the vulnerability is), Evidence (proof — screenshots, request/response pairs, or code excerpts), Risk (what an attacker could do), and Remediation (how to fix it). The vocabulary for each element: "Affected endpoint: POST /api/v2/users/login," "The application does not enforce rate limiting on authentication attempts, permitting brute-force attacks," "An attacker could leverage this to enumerate valid usernames and subsequently compromise accounts via credential stuffing."

Describing Attack Chains

One of the most valuable parts of a penetration test report is the narrative of how multiple lower-severity findings chain together to produce a Critical outcome. This requires precise sequential language: "By combining Finding F-03 (unauthenticated SSRF) with Finding F-07 (internal metadata service accessible from application server), an attacker was able to obtain an IAM role credential for the production database role, subsequently granting read and write access to all customer records." Key vocabulary for attack chain narratives: "by leveraging," "subsequently," "which in turn allowed," "in combination with," "escalating to," "pivoting from," "chaining these two vulnerabilities."

Remediation language is equally important. Use specific, actionable phrasing: "Implement parameterised queries (prepared statements) for all database interactions. Replace the current string-concatenated query in UserRepository.findByEmail() at line 47." Avoid vague recommendations like "fix the injection vulnerability." The most useful remediation advice includes: the specific code location, the recommended fix, a code snippet if applicable, and a reference to the relevant OWASP Cheat Sheet or CWE entry.

Section 4: Incident Response Communication

Security incident response is a high-pressure, time-critical process in which precise communication is the difference between effective containment and escalating damage. The language of incident response has well-established conventions because the stakes of ambiguity are so high.

Incident Severity and Classification Language

Incidents are typically classified by severity: P0/SEV-1 (critical — active breach with ongoing impact), P1/SEV-2 (high — significant compromise contained or imminent), P2/SEV-3 (medium — limited impact or potential compromise), P3/SEV-4 (low — suspicious activity under investigation). When declaring an incident, use a standard template: "INCIDENT DECLARED — SEV-2 — Suspected unauthorised access to production database. Timeline: anomalous query pattern detected at 14:32 UTC. Incident Commander: @alexsmith. Current status: investigating initial access vector. Next update in 30 minutes." Clear, structured language enables parallel work across the incident response team.

The incident response lifecycle has specific vocabulary for each phase. Detection: "We have an IOC (Indicator of Compromise) — there are outbound connections to a known C2 server from the application cluster." Containment: "We have isolated the affected hosts and revoked the compromised service account credentials." Eradication: "The persistence mechanism (a scheduled task) has been removed and the initial access vector (the unpatched RCE in the VPN appliance) has been patched." Recovery: "We have restored from a known-good backup taken prior to the compromise window." Lessons Learned: "We will conduct a blameless postmortem on Friday — the calendar invite includes the preliminary timeline document."

Incident Timeline Language

An incident timeline is a chronological record of events, actions, and decisions. It uses a specific register: past tense, passive voice for automated events, active voice for human decisions, and UTC timestamps. Example entries: "14:32 UTC — Anomalous query pattern detected by database monitoring." / "14:45 UTC — Alert escalated to on-call security engineer (J. Smith)." / "15:01 UTC — Incident declared. Incident commander assigned." / "15:23 UTC — Decision made to isolate affected hosts. Justification: active data exfiltration suspected based on anomalous egress traffic." / "16:42 UTC — Forensic image taken of affected hosts prior to remediation." The timeline should record not only what happened but the decisions made and why — this is essential for the postmortem and for regulatory reporting.

Section 5: SOC Operations Language

The Security Operations Centre (SOC) has its own vocabulary, communication rhythms, and documentation conventions. Whether you work in a SOC, interact with one, or build tooling for one, understanding SOC English is essential in modern security engineering.

Alert Triage and Analysis Language

SOC analysts triage alerts using a disposition process: they classify each alert as a True Positive (TP — the alert correctly identified a real threat), False Positive (FP — the alert fired but there is no actual threat), or Benign True Positive (BTP — the alert correctly identified behaviour that is, in this case, expected). The language of triage: "This alert is a TP — the PowerShell execution spawned by the web process is consistent with the MITRE ATT&CK technique T1059.001 (Command and Scripting Interpreter: PowerShell) used in the initial stage of a ransomware deployment." / "Closing this as FP — the anomalous login from a new location is from the employee who is travelling and has confirmed the access."

SOC communication also uses MITRE ATT&CK technique identifiers as a shared language: "The lateral movement technique is T1021.002 — SMB/Windows Admin Shares. The attacker is using Pass-the-Hash to authenticate to adjacent hosts." Familiarity with the MITRE ATT&CK matrix vocabulary — Tactics (the "why"), Techniques (the "how"), and Sub-techniques (the specific implementation) — is now an expected fluency for security engineers worldwide.

Threat Intelligence Language

Threat intelligence has a specific vocabulary: IOC (Indicator of Compromise — a piece of evidence that a compromise has occurred, e.g., a malicious IP address or file hash), IOA (Indicator of Attack — evidence of attack behaviour in progress), TTP (Tactics, Techniques, and Procedures — the behavioural fingerprint of a threat actor), threat actor (an individual or group conducting attacks), and attribution (the process of identifying who is responsible for an attack). When sharing threat intelligence: "We have received CTI (Cyber Threat Intelligence) indicating that the threat actor group SCATTERED SPIDER is actively targeting companies in our sector using voice phishing (vishing) to bypass MFA. The TTPs match recent reports from CrowdStrike and Mandiant." / "The SHA-256 hash of the dropped payload matches a known Cobalt Strike beacon from the TA577 campaign documented in the ISAC feed."

Section 6: Responsible Disclosure & Security Advisories

Responsible disclosure (also called "coordinated vulnerability disclosure") is the process by which a researcher reports a vulnerability to a vendor before making it public, giving the vendor time to develop and release a fix. The English of this process is carefully calibrated — it must be precise, professional, and legally defensible.

Initial Disclosure Communication

An initial vulnerability report to a vendor should include: a clear subject line (e.g., "Security Vulnerability Report: Unauthenticated RCE in FooBar VPN Client"), a summary of the issue, full technical details (steps to reproduce, proof-of-concept code or video), your proposed CVSS score with justification, and a suggested disclosure timeline. The tone should be professional and collaborative, not adversarial: "I am writing to report a security vulnerability I discovered in FooBar VPN Client while conducting security research. I have followed responsible disclosure principles and have not shared this finding with any third parties. I am happy to work with your security team on an appropriate remediation timeline."

The disclosure timeline discussion uses specific vocabulary: "I propose a standard 90-day disclosure deadline, which is consistent with Google Project Zero and industry norms. If you require additional time due to the complexity of the fix, I am willing to extend this deadline by up to 14 days upon request. I intend to publish a full technical write-up and proof-of-concept code on [date], regardless of patch status, to protect users by enabling detection." Key terms: "disclosure deadline," "embargo period," "coordinated disclosure," "proof of concept (PoC)," "patch availability," "public disclosure."

Security Advisory Writing

A published security advisory is a formal document that informs users of a vulnerability and the available remediation. Advisories use a standardised structure: CVE identifier, CVSS score, affected versions, description, workarounds, and fixed version. The language is formal and precise: "A critical vulnerability (CVE-2024-XXXXX, CVSS 9.8) has been identified in FooBar VPN Client versions 3.0.0 through 3.2.0. This vulnerability allows an unauthenticated remote attacker to execute arbitrary code on affected systems." The remediation section uses imperative language: "Users are strongly advised to upgrade to version 3.2.1 immediately. If immediate upgrade is not possible, the following workaround mitigates the risk in the interim: [workaround steps]."

Section 7: Briefing Non-Technical Stakeholders

One of the most valuable and least-taught skills for security engineers is the ability to explain technical security findings to non-technical audiences: executives, board members, legal teams, regulators, and customers. This requires translating technical vulnerability language into business risk language without losing accuracy.

From Technical to Business Risk Language

Technical language and business risk language describe the same reality from different perspectives. A security engineer's technical finding becomes a business risk when you answer three questions: What could an attacker do? Who does it affect? What is the business impact? Compare: Technical: "An unauthenticated SQL injection in the login endpoint allows an attacker to dump the entire users table." Business risk: "A critical vulnerability in our customer login page could allow an external attacker to access the names, email addresses, and password hashes of all 850,000 registered customers. This would trigger mandatory notification obligations under GDPR and could result in significant regulatory fines and reputational damage." Same fact — different register.

Analogies are a powerful tool in executive briefings. "SQL injection is like a vending machine that, if you press the buttons in the wrong sequence, dispenses all of its products instead of just the one you paid for." / "Leaving a server exposed without a firewall is like leaving the front door of your office propped open overnight." When using analogies, follow the analogy with the precise technical consequence — the analogy provides intuition, but the precise statement is what gets recorded in board minutes.

Presenting Risk Scores and Patch Priority

When presenting patch priority to management, translate CVSS scores into business decisions: "We have three patches that need to be applied this week. The first is Critical — it has a CVSS 9.8 score and there are confirmed public exploits. This is a patch-now situation; every day of delay is a significant risk. The second and third are High severity — important but less immediately exploitable. I recommend patching these within the next two weeks during the next maintenance window." This kind of clear, prioritised guidance is what executives need — not raw CVSS numbers without context.

Most Useful Vocabulary & Phrases for Security Engineers

attack surface
'Removing the debug endpoint from production reduces the attack surface by eliminating an unauthenticated code execution path.'
lateral movement
'After the initial foothold, the attacker used lateral movement via Pass-the-Hash to reach the domain controller.'
privilege escalation
'The misconfigured sudo rule allows privilege escalation from the web service account to root.'
indicator of compromise (IOC)
'The threat intel feed provided three IOCs: two malicious IPs and a SHA-256 hash of the dropped payload.'
CVSS Base Score
'The CVSS Base Score of 9.8 reflects network exploitability, no authentication required, and high impact across all three CIA pillars.'
responsible disclosure
'I followed responsible disclosure and notified the vendor 90 days before publishing the advisory.'
proof of concept (PoC)
'The PoC code demonstrates that the SSRF can reach the internal metadata endpoint and return IAM credentials.'
blameless postmortem
'We will run a blameless postmortem on Thursday — the goal is to identify process gaps, not assign fault.'
defence in depth
'Even if the WAF is bypassed, defence in depth means the parameterised queries prevent actual injection.'
zero-day
'This is a zero-day — there is no patch available and no public PoC yet. We are engaging the vendor under embargo.'
false positive rate
'The SIEM rule has a high false positive rate — analysts are spending 80% of triage time closing FPs.'
hardening
'The CIS benchmark hardening removes 40 unnecessary services and applies security baselines to the OS configuration.'
threat actor
'The TTPs are consistent with a financially motivated threat actor targeting cloud credential theft.'
attack vector
'The attack vector is Network — the vulnerability is exploitable over the internet without any physical access.'
remediation
'Remediation requires upgrading to version 4.1.2. In the interim, the recommended workaround is to disable the affected endpoint.'
blast radius
'If this service account is compromised, the blast radius includes the entire customer data database.'
adversarial simulation
'The red team exercise simulates an adversarial attack to test our detection and response capabilities.'
chain of custody
'Maintain chain of custody for all forensic images — document who collected each artifact and when.'
misconfigurations
'Security misconfigurations in the S3 bucket policy exposed customer records without authentication.'
patch cadence
'Our current patch cadence for Critical CVEs is 24 hours — we need to verify the affected servers were all patched within SLA.'

Recommended Learning Path for Security Engineers

Stage 1: Foundation — Cybersecurity Basics

  1. 1
    Security Vocabulary set

    Build the core vocabulary of cybersecurity: attack types, vulnerability classes, defensive controls, and the standard English terms used in CVE descriptions and security reports.

  2. 2
    Cybersecurity Language exercises

    Practice applying cybersecurity vocabulary in realistic contexts — reading CVE descriptions, discussing CVSS scores, and interpreting vulnerability reports.

  3. 3
    Compliance & Security Language

    The English of security standards and compliance frameworks: GDPR, SOC 2, ISO 27001, PCI-DSS, and how to discuss security controls in compliance contexts.

Stage 2: Intermediate — Incident Response & Reporting

  1. 4
    Incident Response Language exercises

    The precise communication patterns of incident declaration, containment, eradication, and postmortem — including timeline writing and stakeholder updates.

  2. 5
    Pentest Communication exercises

    Writing findings, describing attack chains, and producing actionable remediation guidance in the language of professional penetration test reports.

  3. 6
    Security Lab Language exercises

    The hands-on vocabulary of security tooling, lab environments, and technical security research communication.

Stage 3: Advanced — Threat Modeling, Architecture & Disclosure

  1. 7
    Security Architecture Vocabulary

    The English of security design: zero trust architecture, defence in depth, security zones, trust boundaries, and the vocabulary for threat modeling with STRIDE.

  2. 8
    Identity & Access Management Vocabulary

    IAM vocabulary for modern cloud environments: OAuth 2.0, OIDC, RBAC, ABAC, privilege escalation, and the language of access control design reviews.

  3. 9
    Stakeholder Management Language

    Translating technical security findings into business risk language for executives, boards, and regulators.

Exercise Sets for Security Engineers

Practise the vocabulary and communication patterns covered in this guide with these focused exercise sets:

Vocabulary exercises

Collocations & interview preparation